Rule is not getting triggered properly


Mark tad

Jan 29, 2025, 3:25:51 AM
to Wazuh | Mailing List
Hello Wazuh Team,

I am trying to build a rule for the log below, but it is not triggering. Can you help me find out why? Below is the log. I am trying to match the dt value if it is less than 13 and, at the same time, the 3rd value of v (i.e. "v":"0,0,20,97,10,40,67500,1,0,60,40,50,60,60") is less than 50; then it should raise an alert, but it is not doing so. Here is my rule.

Let me know what I am doing wrong.
<rule id="100002" level="6">
  <decoded_as>json</decoded_as>
  <description>Power generated is less than 13 (actual value: $1).</description>
  <group>custom,power_alert</group>
  <match>dt: 13</match>
  <regex field="v">^(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)</regex>
  <field name="v[3]" operation="lt" value="13"/>
</rule>

Log
{"t":1737391191000,"site_id":701256028,"c":"802122273195.1","z":1737391202,"f":0,"v":"0,0,20,97,10,40,67500,1,0,60,40,50,60,60","vd":300,"b":"02df02fa00ae010d02800c067b0c157d0c10050f010f1816801c63060bc7ff01009f111300b7f71000a0029f029d029e0201007f000000000000000000000001021baa620fd6274006f401800c0115035800372012000006319802e998020800","dt":13}

**Phase 1: Completed pre-decoding. full event: '{"t":1737391191000,"site_id":701256028,"c":"802122273195.1","z":1737391202,"f":0,"v":"0,0,20,97,10,40,67500,1,0,60,40,50,60,60","vd":300,"b":"02df02fa00ae010d02800c067b0c157d0c10050f010f1816801c63060bc7ff01009f111300b7f71000a0029f029d029e0201007f000000000000000000000001021baa620fd6274006f401800c0115035800372012000006319802e998020800","dt":13}'

**Phase 2: Completed decoding. name: 'json' b: '02df02fa00ae010d02800c067b0c157d0c10050f010f1816801c63060bc7ff01009f111300b7f71000a0029f029d029e0201007f000000000000000000000001021baa620fd6274006f401800c0115035800372012000006319802e998020800' c: '802122273195.1' dt: '13' f: '0' site_id: '701256028' t: '1737391191000.000000' v: '0,0,20,97,10,40,67500,1,0,60,40,50,60,60' vd: '300' z: '1737391202'

hasitha.u...@wazuh.com

Jan 29, 2025, 4:37:05 AM
to Wazuh | Mailing List

Hi Mark, I have seen that your custom rule has syntax errors; that's why it's not working.

First, you used <match>dt: 13</match> in your rule. The match tag is used to match the exact content of your full log.
You should replace it with this: <match>"dt":13</match> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rules-match

Secondly, you cannot use <regex field="v">^(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)</regex> like this.
Instead, you can write it like this:
<field name="v" type="osregex">\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+</field>

You cannot use the field attribute in the regex tag: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#regex


However, you can use regex in the field I created.
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rules-field

There are no attributes called operation and value in the field tag. You can refer to the above-mentioned document to get a clear idea.

However, I have created a custom rule according to your logic.
You can add this rule to the /var/ossec/etc/rules/local_rules.xml file.


<group name="power-alert">

<rule id="102001" level="6">
  <decoded_as>json</decoded_as>
  <description>Power generated is less than 13 (actual value: $1).</description>
  <group>custom,power_alert</group>
  <match>"dt":13</match>
  <field name="v" type="osregex">\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+,\d+</field>
</rule>

</group>

To learn more about custom rule creation, you can follow these documents.
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules

https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Let me know if you need further assistance

Regards,
Hasitha Upekshitha

Mark tad

Jan 29, 2025, 7:32:45 AM
to Wazuh | Mailing List
Hasitha,

Is it possible to check the third value of "v":"0,0,20,97,10,40,67500,1,0,60,40,50,60,60" in the log, if it is less than a certain value? {"t":1737391191000,"site_id":701256028,"c":"802122273195.1","z":1737391202,"f":0,"v":"0,0,20,97,10,40,67500,1,0,60,40,50,60,60","vd":300,"b":"02df02fa00ae010d02800c067b0c157d0c10050f010f1816801c63060bc7ff01009f111300b7f71000a0029f029d029e0201007f000000000000000000000001021baa620fd6274006f401800c0115035800372012000006319802e998020800","dt":13}

hasitha.u...@wazuh.com

Feb 7, 2025, 5:33:09 AM
to Wazuh | Mailing List
Hi Mark,

I have created a custom rule for your requirement. You can replace your custom rule with this one. This will check if the third value is less than 13 and matches "dt":13; then this rule will trigger.

<group name="power-alert">
<rule id="102321" level="6">
  <decoded_as>json</decoded_as>
  <description>Power generated is less than 13.</description>
  <group>custom,power_alert</group>
  <match>"dt":13</match>
  <!-- OSRegex has no numeric comparison, so every permitted value of the third
       comma-separated field (0 through 12) is listed as one anchored alternative.
       \d+ is one or more digits; \. is any character in OSRegex syntax. -->
  <field name="v">^\d+,\d+,0,\d+,\.+|^\d+,\d+,1,\d+,\.+|^\d+,\d+,2,\d+,\.+|^\d+,\d+,3,\d+,\.+|^\d+,\d+,4,\d+,\.+|^\d+,\d+,5,\d+,\.+|^\d+,\d+,6,\d+,\.+|^\d+,\d+,7,\d+,\.+|^\d+,\d+,8,\d+,\.+|^\d+,\d+,9,\d+,\.+|^\d+,\d+,10,\d+,\.+|^\d+,\d+,11,\d+,\.+|^\d+,\d+,12,\d+,\.+</field>
</rule>
</group>

Once you apply this rule, make sure to restart the Wazuh manager to apply the changes.
systemctl restart wazuh-manager

Let me know how it goes. Further, you can learn more about how to write regex patterns by referring to these documents.
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

Let me know if this helps.
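An added example, not part of the thread and not Wazuh's own code, that shows the idea behind both answers above (the Jan 29 reply on <match> versus <field> syntax, and the Feb 7 reply's enumerated alternation): Wazuh's OSRegex has no numeric comparison, so "third value of v is less than N" has to be written out as one alternative per permitted value. The script generates that pattern for any field position and threshold, checks it against a plain numeric comparison on a handful of constructed events (including the value 0 and a dt of 130, which a substring <match>"dt":13</match> would also accept), and prints the <field> element you would paste into local_rules.xml. Python's re module stands in for OSRegex here, since OSRegex only runs inside the manager; the translation (\d+ to [0-9]+, \.+ to .+) is an assumption that holds for this pattern shape only.

```python
import json
import re

# Constructed sample events (not from the original thread). Only the fields the
# rule inspects are kept; the third comma-separated value of "v" is compared.
SAMPLE_EVENTS = [
    '{"t":1,"v":"0,0,20,97,10,40,67500,1,0,60,40,50,60,60","dt":13}',   # v[3]=20: no alert
    '{"t":2,"v":"0,0,7,97,10,40,67500,1,0,60,40,50,60,60","dt":13}',    # v[3]=7: alert
    '{"t":3,"v":"0,0,0,97,10,40,67500,1,0,60,40,50,60,60","dt":13}',    # v[3]=0: alert (easy to forget)
    '{"t":4,"v":"0,0,12,97,10,40,67500,1,0,60,40,50,60,60","dt":13}',   # v[3]=12: alert (upper boundary)
    '{"t":5,"v":"0,0,7,97,10,40,67500,1,0,60,40,50,60,60","dt":130}',   # dt=130: no alert
]


def osregex_less_than(field_index, threshold):
    """OSRegex pattern for a Wazuh <field> element that matches a comma-separated
    string whose 1-based field `field_index` is an integer in [0, threshold).

    OSRegex cannot compare numbers, so each permitted value becomes one
    ^-anchored alternative. In OSRegex, \\d+ is one or more digits and \\.+ is
    one or more of any character.
    """
    prefix = r"\d+," * (field_index - 1)
    return "|".join(rf"^{prefix}{n},\.+" for n in range(threshold))


def pcre_equivalent(field_index, threshold):
    """The same enumeration in Python re syntax, used only to test the logic
    offline (assumed translation: \\d+ -> [0-9]+, \\.+ -> .+)."""
    prefix = r"[0-9]+," * (field_index - 1)
    alts = "|".join(rf"{prefix}{n},.+" for n in range(threshold))
    return re.compile(rf"^(?:{alts})")


def reference_alert(event_json, field_index=3, threshold=13, dt_value=13):
    """Ground truth: parse the JSON and compare numerically."""
    ev = json.loads(event_json)
    if ev.get("dt") != dt_value:
        return False
    return int(ev["v"].split(",")[field_index - 1]) < threshold


def rule_alert(event_json, field_index=3, threshold=13, dt_value=13):
    """Model of the rule as the manager would evaluate it: an anchored
    <field name="dt">^13$</field> (the JSON decoder stores dt as the string
    '13', as the logtest output shows) plus the enumerated <field name="v">."""
    ev = json.loads(event_json)
    if not re.fullmatch(str(dt_value), str(ev["dt"])):
        return False
    return pcre_equivalent(field_index, threshold).search(ev["v"]) is not None


def match_tag_hits_dt13(event_json):
    """Model of <match>"dt":13</match>: a substring test on the whole log line,
    which is why an event with "dt":130 satisfies it as well."""
    return '"dt":13' in event_json


def rule_matches_reference(events=SAMPLE_EVENTS):
    """True when the regex-based rule agrees with the numeric check on every event."""
    return all(rule_alert(e) == reference_alert(e) for e in events)


if __name__ == "__main__":
    print('<field name="v">' + osregex_less_than(3, 13) + "</field>")
    for e in SAMPLE_EVENTS:
        print(json.loads(e)["t"], reference_alert(e), rule_alert(e), match_tag_hits_dt13(e))
    print("rule agrees with numeric check:", rule_matches_reference())
```

The generated <field> is a drop-in for the one in the rule above; changing the threshold only changes the number of alternatives, and the pattern always starts at 0 so a reading of 0 is not silently excluded. Because <match> is a substring test, prefer <field name="dt">^13$</field> over <match>"dt":13</match> when other dt values could share the same leading digits; both forms are evaluated against the decoded event, so nothing else in the rule changes.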